CrossWind CyberScheduler websyncd remote Buffer Overflow Vulnerability

Note: This vulnerability only applies to CyberScheduler Version 2.1.

CrossWind CyberScheduler is a team-oriented scheduling and calendaring package designed for use in corporate Intranets. It consists of two distinct parts--a set of CGI scripts on a Web server, and a set of daemons (or services) on a database server. Both parts are available for Windows NT, Linux, and a range of UNIX platforms, including Solaris.

One of the CyberScheduler daemons 'Websyncd' (Websyncd.exe on Windows NT) contains an exploitable buffer overflow in its timezone string parser. A timezone string is passed to Websyncd by the Websync.cgi program (Websync.exe on Windows NT) through the tzs form variable. Websyncd reserves 262 bytes on the stack for the timezone string, but no bounds checking is performed in either Websync.cgi or Websync. Therefore, a stack overflow can occur in Websyncd if a long string is specified in the tzs variable in a request to Websync.cgi. Because Websyncd runs as root (on UNIX platforms), a stack overflow allows arbitrary code execution as root.

Additionally, because the overflow occurs before Websync.cgi can verify any logon credentials, unprivileged remote users can exploit this vulnerability.

By exploiting this vulnerability, a stack overflow may occur, and, on UNIX platforms, the stack overflow may allow arbitrary code execution as root.

Upgrade to CyberScheduler Version 2.1.6. This version is available from CrossWind's Download page.